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Abstract 

In recent years, a great amount of secure communications systems 
based on chaotic synchronization have been pubhshed. Most of the pro- 
posed schemes fail to explain a number of features of fundamental im- 
portance to all cryptosystems, such as implementation details, or key 
definition, characterization, and generation. As a consequence, the pro- 
posed ciphers are difficult to realize in practice with a reasonable degree 
of security. Likewise, they are seldom accompanied by a security analysis. 
Thus, it is hard for the reader to have a hint about their security and 
performance. In this work we provide a set of guidelines that every new 
cryptosystem would benefit from adhering to. The proposed guidelines 
address these two main gaps, i.e., correct key management and security 
analysis, among other topics, to help new cryptosystems be presented in a 
more rigorous cryptographic way. Also some recommendations are made 
regarding some practical aspects of communications, such as implemen- 
tation, channel noise, limited bandwith, and attenuation. 
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1 Introduction 

Modern telecommunications networks, and specially Internet and mobile tele- 
phones, have expanded the possibilities of user communications and information 
transmission to limits unimaginable a short time ago. There is a parallel growing 
demand of cryptographic techniques, which has originated an intense research 
activity and the search of new directions in cryptography. As a result, a rich 
variety of chaotic cryptosystems for end to end communications have been put 
forward 12] , whose robustness and privacy are equally diverse. 

There exist two main approaches to chaotic ciphers design: analog and digi- 
tal. The first one is based on the concept of chaotic synchronization 3 . In these 
systems, the information can be transmitted by the chaotic signal in a number 
of ways: chaotic masking ^ El 13 IH| j in which the analog message signal m{t) 
is added to the output of the chaotic generator x{t) in the transmitter; chaotic 
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switching or chaos shift keying (CSK) [51 ^j, in which a binary message sig- 
nal is used to choose between different chaotic attractors; chaotic modulation 
|11[I12[[T^I14| . in which a binary message modulates a parameter of the chaotic 
generator or when spread spectrum techniques are used to multiply the message 
signal by the chaotic one; and chaos control |15l 1161 ITT) , in which small pertur- 
bations cause the symbolic dynamics of a chaotic system to track a prescribed 
symbol sequence. Regardless of the method used to transmit the message sig- 
nal, the receiver has to synchronize with the transmitter's chaotic generator to 
regenerate the chaotic signal x{t) and thus recover the message m(t). 

The second approach to the design of chaos-based cryptosystems consists of 
using digital computers to iterate a chaotic map and mask the binary message 
in a number of ways ^1 El 1201 1^ 1221 l2Si ■ These ciphers do not depend on 
synchronization. Instead, they usually use one or more chaotic maps where the 
initial point xq and the parameter value A play the role of the key. 

Most papers on this topic are published in physics and engineering journals 
and conferences, but not within the cryptography community. This explains 
why up to date little or no critical analysis has been made about the design 
process of these cryptosystems nor to the way the results are presented. Quoting 
Feng Bao [21]: "The common annoying feature of the cryptosystems based on 
some mathematical models, e.g., those based on chaos systems, is that only the 
principle is given. They lack details, such as recommended key sizes and key 
generation steps, etc. Therefore it is not possible for others to implement the 
ciphers." 

We have detected that a systematic approach to the design and security eval- 
uation is missing. To fill this void, in this paper we give some guidelines which 
should benefit new chaos-based cryptosystems. Following these guidelines, pro- 
posed cryptosystems would be presented in a more rigorous cryptographic way. 
Otherwise, they tend to be information concealment methods to frustrate the 
casual eavesdropper, but in no case the determined attacker and will not be 
taken seriously by cryptologists. 

The paper is organized as follows. Sec.|211ists requirements about the mini- 
mum practical details of the chaotic implementations that should be provided. 
In Sec. 121 the most important key related issues are discussed. In Sec. 01 the 
recommendations about how to make a security analysis are given. In Sec. [31 
some basic but decisive considerations about the channel properties are offered. 
Sec. ini concludes the paper. 

2 The Implementation 

For many chaotic systems, only basic concepts are described and implementation 
details are neglected. However, generally speaking, implementation details are 
important for cryptanalysts to judge whether or not there exist security defects. 
Also, it is obvious that the encryption speed and the implementation cost depend 
on such details. Therefore, the lack of implementation details makes it difficult 
to estimate the significance of the proposed cryptosystem, i.e. to analyze its 
security and overall performance. 



2.1 The implementation of the chaotic systems 

As we introduced in Sec. ^ there are two basic approaches to design chaotic 
ciphers: analog and digital. The first one is generally based on chaos synchro- 
nization, and the concerned chaotic systems are implemented in analog form. 
The second one is independent of chaos synchronization and the chaotic sys- 
tems are completely implemented in digital computers. Additionally, in some 
conditions, the chaotic systems may be implemented in combined form, that is 
to say, both analog and digital parts are involved. 

When analog parts are involved, the circuit diagrams to generate chaos 
should be given with enough details. When digital parts are involved, the follow- 
ing details should be given: the finite computing precision, the adopted digital 
arithmetic (fixed-point or floating-point), hardware/software configuration, etc. 
When both analog and digital parts are involved, details on A/D and D/A 
interfaces should also be described. 

Rule 1 It should be thoroughly described how to implement the chaotic systems. 

When the chaotic systems are (completely or partially) implemented in dig- 
ital form, dynamical degradation will occur. This problem has been extensively 
studied in the last two decades, and it has been clarified that such dynami- 
cal degradation may cause security defects in chaos-based cryptosystems. To 
overcome this problem, some methods should be used to improve dynamical 
degradation of digital chaotic systems. A considerable countermeasure is to 
timely perturb the chaotic systems with a small pseudo-random signal. For 
more details, please refer to §2.5 of |25|. in which Shujun Li gives a comprehen- 
sive review on this issue. 

Rule 2 For chaotic systems implemented in digital form, the negative dynam- 
ical degradation should be taken into consideration. 

2.2 The implementation of the cryptosystem 

In the cryptography community, there are two well-known sayings: "it is quite 
easy to design a secure but very SLOW cipher" , and "it is quite easy to design 
a secure but very LARGE cipher" . If the security of a chaotic cryptosystem is 
reached with the loss of working efficiency, then its significance will be trivial 
and will not be accepted by pure cryptographers. 

Rule 3 Without loss of security, the cryptosystem should be easy to implement 
with acceptable cost and should work with acceptable speed. 

3 The key 

A fundamental aspect of every cryptosystem is the key. An algorithm is as secure 
as its key. No matter how strong and well designed the algorithm might be, if 
the key is poorly chosen or the key space is small enough, the cryptosystem 
will be broken. Unfortunately, most chaotic secure communications schemes 
proposed to date fail to clearly, if at all, explain what the key is, how it should 
be chosen, and to thoroughly describe the available key space. 
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Figure 1: Bifurcation diagram for the Rossler attractor when a = & = 0.1 and c 
is varied. 

3.1 Key definition 

A cryptosystem cannot exist without a key. Otherwise, it might be considered as 
a coding system, but never regarded as a secure system. In every cryptosystem 
an important effort must be devoted to clearly define and characterize the key. 
Many chaos-based secure communication systems proposed in the Hterature do 
not specify what the key is. It is assumed that the key must be made from the 
parameters of the chaotic system, but it is not clearly stated which parameters 
are, which their range is and what their precision or sensibility is. 

Rule 4 What the key is should be thoroughly defined. 

3.2 The key space 

Once the key has been defined, it is equally important to characterize it, i.e., 
the key space must be studied in depth. 

The size of the key space is the number of encryption/decryption key pairs 
that are available in the cipher system. The symbol v is used to denote a key 
and the symbol V to denote a set of keys. Since the total number of possible 
keys is equal to r — |V|, the set V or key space can be expressed as 

^ ^ {vi,V2,.-.,Vr}. (1) 

In classical cryptographic algorithms based on number theory, the key is 
usually a string of random bits generated by some automatic process. If the 
key is n bits long, then every possible n-bit key must be equally likely, with 
probability 2^". 

In most chaotic schemes, though, the key space is nonlinear because all the 
keys are not equally strong. We say that a key is weak or degenerated if it is 
easier to break a ciphertext encrypted with this key than breaking a cipher- 
text encrypted with another key. There exist keys giving rise to non-uniformly 
distributed chaotic values. As shown in Fig. ^ bifurcation diagrams help to 



discover the intervals for which a given parameter originates periodic orbits. 
These values should be avoided, and the chaotic bands should be preferred. 

When many parameters are used simultaneously as part of the key, the 
mutual interdependence complicates the task of deciding which are the good 
intervals. In any case, the authors of the proposed cryptosystem should conduct 
a study of the chaotic regions of the parameter space from which valid keys, i.e., 
parameter values leading to chaotic behavior, can be chosen. Depending on the 
number of parameters chosen as part of the key, this region will have 1,2,3,... 
dimensions. 

A possible way to describe the key space might be in terms of positive 
Lyapunov exponents. According to P- 196], let f be a map of R™, m > 1, 
and {xq, Xi, X2, . . . } be a bounded orbit of f . The orbit is chaotic if 

1. it is not asymptotically periodic, 

2. no Lyapunov exponent is exactly zero, and 

3. the largest Lyapunov exponent is positive. 

The largest Lyapunov exponent can be computed for different combinations 
of the parameters. If it is positive, then the combination can be used as a valid 
key. In Fig. 13 the chaotic region for the Henon attractor has been plotted 
following this criterion. This region corresponds to the keyspace. In general, 
parameters chosen from the lower white region give rise to periodic orbits, while 
parameters chosen from the upper white region give rise to unbounded orbits. 
Both regions should be avoided to get suitable keys. Only keys within the black 
region are good. And even within this region, there exist periodic windows, 
unsuitable for robust keys. 

However, this type of irregular and often fractal chaotic region shared by 
most secure communication systems proposed is inadequate for cryptographic 
purposes because there is no easy way to define its boundary. Complete chaotic- 
ity for any parameter value should be preferred. A simple map which behaves 
in this way is the following skew tent map with a control parameter p G (0, 1) 
(see also Fig. 



For any control parameter p G (0,1), the above piecewise linear map is 
always chaotic. In fact, for a piecewise linear chaotic map F : X ^ X, ii 
each linear segment is mapped onto X, the map will be chaotic and have many 
desired dynamical properties ^7^, §3.2.1]. Following such a result, as long as the 
control parameter does not change the mapping of each linear segment onto X, 
the obtained chaotic map will be good to construct chaotic cryptosystems. 

Rule 5 The chaotic region which constitutes the key space V from which valid 
keys are to be chosen should be thoroughly specified. 

It is sometimes taken for granted that the security of the encryption scheme 
is related to the size of the key space. A necessary, but not sufficient, condition 
for an encryption scheme to be secure is that the key space be large enough 
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Figure 2: Skew tent map with a control parameter p. 

to frustrate brute force attacks (see Sec. I4.4|) . If the chaotic region does not 
meet this requirement, then it should be enlarged accordingly. However, the 
solution is not as simple as discretizing the region with a finer grain, because 
this could lead to equivalent keys, i.e., the same ciphertext is decrypted by two 
different keys. When two different keys are very close to each other, they could 
decrypt part or all the ciphertext. The safeguard between adjacent keys should 
be defined. In other words, the chaotic region should be discretized. In chaotic 
regime, the sensitivity to parameters will guarantee that two orbits starting 
from the same initial point but with slightly different parameters will diverge 
(the divergence rate is given by the Lyapunov exponents). However, the need 
for synchronization sometimes allows for an important parameter mismatch. 

From a cryptographic point of view, the secret parameter should be sensitive 
enough to guarantee the so-called avalanche property: even when the smallest 
change occurs for the parameter, the ciphertext will change dramatically. Ide- 
ally, mathematical expectation of the change of ciphertext is half of the maximal 
value of all possible ciphertexts. For example, a natural idea to do so is to iterate 
the employed chaotic system for multiple times |27) . 

Rule 6 The useful chaotic region (the key space Vj should he discretized in 
such a way that the avalanche effect is guaranteed: two ciphertexts encrypted by 
two different keys vi , V2 chosen as close as possible from the key space V will be 
entirely different. 

In some chaotic cryptosystems where more than one parameter is used as 
part of the key, it is possible to fix one of them and try to approximate the 
others. This is an undesirable behavior. Ideally, when the key is made from a 
number of parameters, the recovered signal after an illegal decryption attempt 
should never reveal that the attacker is approaching the exact key when one 
parameter is slowly varied. In other words, the recovered signal should appear 
the same if none of the parameters is guessed as if all but one of the parameters 




Figure 3: Chaotic region for the Henon attractor. 



are guessed. This imphes that the total key space is the product, and not the 
addition, of all the parameters involved. 

Rule 7 Partial knowledge of the key should never imply partial knowledge of 
the cleartext. 

3.3 Key generation 

Once the key has been defined and the key space has been properly character- 
ized, the process to choose good keys should be explained in detail. If some 
parameter ranges are given and the parameter values can be randomly cho- 
sen within these ranges, then it should be clear that there is no possibility of 
generating weak or degenerated keys. 

Sometimes the useful chaotic region has irregular shapes. This shape could 
be enclosed in a regular one, such as a sphere or a cube, and the key could 
be chosen randomly within this regular shape and checked whether it is in the 
useful chaotic region. 

Rule 8 The algorithm or process to generate valid keys from the key space V 
should be thoroughly specified. 

4 Security analysis 

When a new cryptosystem is proposed, it should always be accompanied by 
some security analysis. Although this analysis cannot comprise all the possible 
attacks against the newly created cipher, it should include at least the best 
known attacks and the corresponding results. This analysis helps to spot and 
correct flaws before the new scheme is published. That a cipher is resilient to 
all these attacks does not mean that it is secure, but at least it has undergone a 
certain amount of critical analysis. It is a necessary, but not sufficient, condition 
for security. 

First of all, to resist common attacks, the designed cryptosystem should 
have the following basic cryptographic properties: confusion and diffusion. The 



first property reflects uniformity of all keys, and the second one reflects strong 
sensitivity (avalanche) of the key to small change. Obviously, Rule 6 mentioned 
above corresponds to diffusion. Here, we add a rule corresponding to confusion. 
To achieve confusion, statistical properties of the ciphertext, such as distri- 
bution, correlation and differential probabilities, should be independent of the 
exact value of the key. Many chaos-based cryptosystems are broken because of 
the lack of confusion property, such as E. Alvarez et al.'s cipher proposed in 

m 

Rule 9 For different keys, no distinguishable difference of the ciphertext should 
be found from statistical point of view. 

Next we describe the sort of attacks which should be accounted for. 
4.1 Classical types of attacks 

When cryptanalyzing an encryption algorithm, the general assumption made is 
that the cryptanalist knows exactly the design and working of the cryptosystem 
under study, i.e., he knows everything about the cryptosystem except the secret 
key. This is an evident requirement in today's secure communications networks, 
usually referred to as Kerchoff's principle [2H1 P- 24]. According to |2H1 P- 25], it 
is possible to differentiate between different levels of attacks on cryptosystems. 
They are enumerated as follows, ordered from the hardest type of attack to the 
easiest: 

1. Cipher text only: The opponent possesses a string of cipher text, c. 

2. Known plain text: The opponent possesses a string of plain text, p, and 
the corresponding cipher text, c. 

3. Chosen plain text: The opponent has obtained temporary access to the 
encryption machinery. Hence he can choose a plain text string, p, and 
construct the corresponding cipher text string, c. 

4. Chosen cipher text: The opponent has obtained temporary access to the 
decryption machinery. Hence he can choose a cipher text string, c, and 
construct the corresponding plain text string, p. 

In each of these four attacks, the objective is to determine the key that 
was used. The last two attacks, which might seem unreasonable at first sight, 
are very common when the cryptographic algorithm, whose key is fixed by the 
manufacturer and unknown to the attacker, is embedded in a device which the 
attacker can freely manipulate. Daily life examples of such devices are electronic 
purse cards, GSM phone SIM (Subscriber Identity Module) cards, POST (Point 
Of Sale Terminals) machines, or web application session token encryption. 

Many examples of how to break chaotic cryptosystems with known plaintext 
and chosen plaintext attacks can be found in I^HI EDI 1^ I32L . 

Rule 10 At a minimum, it should be checked whether the cryptosystem is bro- 
ken by simple known plaintext and chosen plaintext attacks. 



4.2 Chaos-specific attacks 



Many different methods have been proposed to attack chaotic encryption schemes, 
both for analog and digital systems. In this paper we will focus on the former. 
There are three possibilities for their cryptanalysis 

1. The extraction of the message signal m{t) from the transmitted ciphertext 
signal c{t). 

2. The extraction of the chaotic masking signal x{t). 

3. The estimation of the parameters of the chaotic receiver, which are chosen 
from the key space V. 

The extraction of the message signal is generally possible if m(t) is a pe- 
riodic signal or consists of periodic frames with sufficient duration. It can be 
accomplished using different methods: spectral analysis techniques |i35j. auto- 
correlation and cross-correlation |27| . filtering, or time series power estimation. 

The chaotic masking signal x(t) can be extracted using time delaying em- 
bedding reconstruction or return maps |36[ I37L I38L . 

Parameter identification can be performed using generalized synchronization 
or spectral analysis. Sometimes it is not even necessary to use approximate 
parameter values because transmitter and receiver are synchronized even under 
severe parameter mismatch j 27j . 

Rule 11 At a minimum, it should be checked whether the cryptosystem is bro- 
ken by well known chaos-specific attacks. 

Also, as we mentioned above, when chaotic systems are implemented in 
digital form, the dynamical degradation can also cause security defects, which 
may bring weak keys and make brute force attacks easier. For examples with 
security defects caused by dynamical degradation of digital chaotic systems, 
please see (or Chap. 4 of ESj). 

4.3 Application-specific attacks 

In some specific applications, there are some special attacks. For example, for 
digital images (videos), unlike normal one-dimensional data, strong correlation 
always exists between different pixels (transform coefficients). Such correla- 
tion information can be used to develop some correlation-based attacks, if the 
information is not successfully cancelled in cipher- images/cipher- videos. 

In addition, in some applications cryptosystems should be specially opti- 
mized to make the encryption more efficient. However, sometimes there exists a 
tradeoff between efficiency and security, and the increment of efficiency causes 
decrement of security. For example, encrypting partial data of plain-videos is 
very useful to promote the encryption speed and make the cryptosystem prac- 
tical, but it is possible to reconstruct partial visual information of plain-videos 
from partial non-encrypted data. 

It is true that different uses of a same cipher in different applications may 
cause different levels of security 031 ■ 



Rule 12 At a minimum, it should be checked whether the cryptosystem is bro- 
ken by well known application- specific attacks. If there exists a tradeoff between 
efficiency and security, explicit criteria should be given to show how to balance 
the two factors. 

4.4 Brute force attacks 

A brute force attack is the method of breaking a cipher by trying every possible 
key. The quicker the brute force attack, the weaker the cipher. Feasibihty 
of brute force attacks depends on the key space size r of the cipher and on 
the amount of computational power available to the attacker. Given today's 
computer speed, it is generally agreed that a key space of size r < 2^°*^ is 
insecure. 

Rule 13 To prevent brute force attacks, the key space size should be r > 2^*^". 

However, this requirement might be very difficult to meet by some proposed 
ciphers because the key space does not allow for such a big number of different 
strong keys. For instance. Fig. O was created using a resolution of 10~^, i.e., 
there are 1400 x 3000 different points. To get a number of keys r > 2^°° ~ 10^°, 
the resolution should be 10^^'^. However, with that resolution, thousands of keys 
would be equivalent, unless there is a strong sensitivity to parameter mismatch, 
which is usually lost by synchronization. 

5 The channel 

Many secure communications systems proposed are tested in Matlab or some 
other simulation program, but not under real conditions. It should be noted 
that a real channel is subjected to noise, has a limited bandwith, and is atten- 
uated. When designing a new secure communications scheme, besides security 
considerations, the channel characteristics should be taken into account, thus 
preventing the system from failing when tested in a noisy, bandwith-limited, 
and attenuated channel. 

Rule 14 The secure communications system should work in a channel with —30 
dB signal/noise ratio, with limited bandwith, and with an attenuation between 
-3 dB and +1 dB. 

6 Conclusions 

We have presented a set of guidelines which are recommended to be adopted 
by every secure communications systems designer. These guidelines do not 
constrain the freedom and creativity of the designer, but, if followed, guarantee 
a reasonable degree of security and cryptographic rigor. In this way, new chaos- 
based cryptosystems will be easier considered by the cryptography community, 
and both worlds will be benefited. 
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